Computer Standards & Interfaces 97 (2026) 104097

Fully decentralized period k-times anonymous authentication with access criteria (I, II)

Hongyan Di a, Yinghui Zhang a,∗, Ziqi Zhang a, Yibo Pang a, Rui Guo a, Yangguang Tian b

a School of Cyberspace Security, Xi'an University of Posts & Telecommunications, 710121, Xi'an, China
b University of Surrey, GU2 7XH, Surrey, UK

Keywords: Fully decentralized; Publicly auditable; Access criteria; Anonymous authentication; Signature proof of knowledge

ABSTRACT

The explosive growth of Internet user devices highlights the strong and urgent need for digital identity infrastructure. However, the existing decentralized identity schemes are still not fully decentralized, and there is still a contradiction between publicly auditable credentials and maintaining anonymity. Therefore, using advanced cryptographic techniques such as signature proof of knowledge, Pedersen commitment, and Merkle tree, this paper proposes a fully decentralized period k-times anonymous authentication with access criteria. The scheme allows user credentials to be publicly audited, users can manage their identity independently, and the verifier can not only verify the user's identity, but also implement access control. The issuer does not need to hold a key or maintain a list, and it can still authenticate even after the trusted center is attacked, and only three zero-knowledge proofs are needed for registration and verification. The security analysis indicates that this scheme satisfies unforgeability, anonymity, unlinkability and attribute privacy. Performance evaluation shows significant improvements in both computational and communication efficiency over existing schemes.

I This article is part of a Special issue entitled: 'Information Security and Privacy' published in Computer Standards & Interfaces.
II This work is supported by the National Cryptologic Science Fund of China (2025NCSF02037), the National Natural Science Foundation of China (62072369), the Youth Innovation Team of Shaanxi Universities (23JP160), the Shaanxi Special Support Program Youth Top-notch Talent Program, the Technology Innovation Leading Program of Shaanxi (2023-YD-CGZH-31), the Technology Innovation Guidance Special Fund of Shaanxi Province (2024QY-SZX-17), the Graduate Innovation Fund of Xi'an University of Posts and Telecommunications (CXJJBDL2024004).
∗ Corresponding author.
E-mail addresses: 15029659213@163.com (H. Di), yhzhaang@163.com (Y. Zhang), qiqizhang0408@163.com (Z. Zhang), ybpang1998@163.com (Y. Pang), guorui@xupt.edu.cn (R. Guo), yangguang.tian@surrey.ac.uk (Y. Tian).
URLs: https://www.xiyou.edu.cn/ (Y. Zhang), http://www.surrey.ac.uk (Y. Tian).
https://doi.org/10.1016/j.csi.2025.104097
Received 12 July 2025; Received in revised form 26 September 2025; Accepted 11 November 2025. Available online 19 November 2025.
0920-5489/© 2025 Elsevier B.V. All rights are reserved, including those for text and data mining, AI training, and similar technologies.

1. Introduction

With the surge in digital services accessed through network connections, the number of digital identities has seen an unprecedented increase. Therefore, the vast majority of the global population has at least one digital identity, which becomes the key to unlocking a variety of online functions and services. However, the concept of digital identity goes far beyond human identity recognition [1]. With the wide adoption of IoT and the powerful functions of the 5th Generation Mobile Communication Technology (5G) network, as well as the upcoming 6th Generation Mobile Communication Technology (6G), the number of connected devices has increased significantly [2]. These devices require unique digital identities to enable their participation in digital ecosystems, such as establishing secure communications.

Authentication and authorization are crucial security-related core tasks in the digital world. Their purpose is to ensure the authenticity of the identities of the communicating parties and implement access control over digital resources such as services. The core of this system is the concept of digital identity. The evolution of digital identity has gone through multiple eras, during which digital identity recognition has gradually shifted from centralized to decentralized identity models [3]. In fact, the way entities prove the ownership of digital identities may be affected by various vulnerabilities [4]. The current Internet ecosystem generally adopts the centralized Identity Provider (IdP) model, with tech giants such as Google and Facebook (e.g., Meta) serving as the custodians of digital identities. Other services can directly rely on the identity information provided by the IdP. Although this architecture simplifies the authentication process by achieving single sign-on through protocols such as OAuth, it has fundamental flaws when examined from the perspective of privacy protection: users lose control over their digital identities [5], and all their identity attributes are centrally stored in the IdP's servers. Users neither know the specific usage of these data nor can they effectively manage their flow. More seriously, this architecture has created a dangerous "data island" phenomenon: the IdP can fully grasp the cross-platform service usage trajectory and behavioral characteristics of users, essentially constructing a panoramic user profile. The IdP, on the other hand, can obtain information about all the network services used by users (and related usage data). When the server storing user data is invaded, sensitive personal information may be "obtained" by malicious attackers, causing significant loss of personal data and damaging the reputation of stakeholders [6]. In 2022 alone, there were over 1800 major data breaches worldwide, involving more than 400 million user records. The increasing number of data breach cases has raised significant concerns about data confidentiality and transparency in the field of digital identity management. In addition, centralized identity management systems rely on specific identity service nodes, making them vulnerable to the single point of failure problem [7].

Therefore, the increasing popularity of online services, the growing trend of decentralization, and the rising awareness of the shortcomings of traditional methods are paving the way for more secure and privacy-protecting approaches. Under this trend, supported by current laws and regulations (such as the General Data Protection Regulation (GDPR) of the European Union) [8], the concept of Self-Sovereign Identity (SSI) [9] has attracted significant attention from both academia and industry. SSI is based on the idea that individuals should have full control over their information without being forced to outsource data to any centralized institution or third party. Such technologies play a crucial role in establishing trust among entities (including humans and non-human entities such as IoT devices) and ensuring communication security through digital identities. Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs), as effective solutions for enhancing privacy and security, have been promoted in multiple application fields such as intelligent transportation and smart healthcare. These standards can be extended to anyone or anything, covering cloud, edge, and IoT resources. It is worth noting that several institutions, including industry giants such as Microsoft, have recently developed and released a variety of implementation plans to support these technologies. In addition, global government agencies are also actively promoting the widespread application of DIDs and VCs. For instance, the European Union promulgated regulation 2024/1183 [10] in May 2024, establishing the European digital identity framework, aiming to provide European citizens with digital passes for cross-border access to public and private services through the SSI system. This represents a significant milestone in the development of digital identity solutions. However, current decentralized anonymous authentication schemes still face significant challenges. These include the inability to achieve full decentralization, a lack of mutual trust between users and issuers, and the persistent contradiction between public verifiability and true anonymity. Against this backdrop, AI-driven identity threat analysis has become a new focus of security research. Initiatives such as the Global Digital Identity Wallet (GDIW) have launched cross-border interoperability tests, while "Digital Identity Chain" has completed the integration of DIDs with the national government service platform; these efforts represent preliminary but critical explorations in addressing these underlying issues.

2. Related work

2.1. Decentralized anonymous credential (DAC)

In the 1980s, David Chaum [11,12] introduced privacy-preserving cryptographic techniques, aiming to create a more privacy-focused and user-centered authentication and authorization solution. It enables users to prove their membership, identity, or any other arbitrary attribute in a group in a privacy-preserving manner. Such techniques are often referred to as anonymous credentials (ACs), and various methods for building AC systems have been widely studied in the academic community. Since Camenisch and Lysyanskaya [13] first proposed a completely anonymous credential scheme in 2001, a large number of anonymous credential construction schemes suitable for various scenarios have emerged. These include zero-knowledge credentials, lightweight anonymous credentials without heavy zero-knowledge proofs and other computationally intensive operations, self-blinding credentials, group signatures, AC schemes without unlinkability, and post-quantum AC schemes. In order to reduce the trust dependence of the credential issuance process on a central authority in traditional anonymous credential schemes, Garman et al. [14] proposed the concept of decentralized anonymous credential (DAC), which allows users to construct and manage credentials in a completely anonymous manner. Derler et al. [15] designed a new revocable multi-show attribute anonymous credential based on previous work, which has good scalability and constant operation of two roles. Bui and Aura [16] developed a distributed access control revocation framework to facilitate the manipulation of revocation methods. Subsequently, Sonnino et al. [17] proposed a special selective disclosure voucher solution based on blind signatures and bilinear pairing, which holds short and highly efficient vouchers. Inspired by Sonnino's work, Halpin [18] redesigned the tagging mechanism to improve scalability and support embedding arbitrary attributes. Cui et al. [19] constructed a Blockchain Digital Identity Management System (BDIdM) by extending the functional features of the DAC scheme [14], which enabled limited reusability of specific credentials on the premise of maintaining the security of the DAC scheme. In addition, decentralized anonymous credentials are widely integrated with other scenarios. Lin et al. [20] applied the DAC scheme to the smart grid scenario and enhanced the privacy protection mechanism. The solutions combined with the application scenarios of blockchain-based Internet of Vehicles include [21–25]; Zeng et al. [26] also applied anonymous credentials to cross-domain authentication in IIoT.

2.2. $k$-Time anonymous authentication ($k$-TAA)

The $k$-period anonymous authentication allows users to be authenticated up to $k$ times within a certain time period while remaining anonymous. Teranishi et al. [27] introduced the first $k$-TAA scheme, allowing the identification of users who exceeded the authentication limit. Nguyen and Safavi-Naini [28] extended this concept to dynamic $k$-TAA, enabling each authenticator to independently grant or revoke access rights. Au et al. [29] proposed a fixed-size dynamic $k$-times. Chaterjee et al. [30] proposed a $k$-TAA scheme based on physically unclonable functions (PUFs), which is applicable to trusted platform modules (TPM). Huang et al. [31] designed an efficient $k$-TAA system tailored for pay-as-you-go pricing, facilitating multiple service accesses and related payments within each certification cycle. However, many existing $k$-TAA schemes fail to provide periodic anonymous authentication. Although the existing schemes [32,33] support periodic anonymous authentication, they have deficiencies in supporting the selective disclosure of credential attributes to achieve fine-grained authentication. In addition, they require a large number of pairing operations, resulting in significant verification delays. In contrast, scheme [34,35] supports periodic $k$-times anonymous authentication while reducing cumbersome pairing operations. However, scheme [34] does not support credential revocation. As shown in Table 1, our scheme, while meeting the above requirements, supports full decentralization and access control.

Table 1. Function comparison.

| Security features | [29] | [30] | [31] | [33] | [19] | [34] | [35] | Our Scheme |
|---|---|---|---|---|---|---|---|---|
| Anonymity | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Unlinkability | ✓ | N.A | ✓ | N.A | ✓ | ✓ | ✓ | ✓ |
| $k$-times period anonymous authentication | × | × | × | ✓ | × | ✓ | N.A | ✓ |
| Publicly auditable | N.A | × | N.A | N.A | ✓ | ✓ | ✓ | ✓ |
| Select attribute disclosure | × | × | × | × | ✓ | ✓ | N.A | ✓ |
| Key forward and backward secure | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Reveal violator's identity without TTP | ✓ | ✓ | × | ✓ | ✓ | ✓ | × | ✓ |
| Issuer not hold key and identity list | × | × | × | × | × | × | × | ✓ |
| Support credential revocation | ✓ | ✓ | ✓ | ✓ | ✓ | × | ✓ | ✓ |

Note*: ✓: Supports this feature; ×: Does not support this feature; N.A: Not applicable; TTP: Trusted third party.

• Research Contributions

Next, we list the main research contributions of this paper.

The Proposed Scheme: We propose a fully decentralized $k$-times period anonymous authentication scheme with access control. The scheme enforces both access criteria and authentication during the verification process, while eliminating the need for issuers to hold keys or maintain lists, thus remaining secure even if the trusted center is compromised. Only three zero-knowledge proofs are required for registration and verification.

Security Analysis: We conducted a correctness and theoretical security analysis based on the game definition of the proposed scheme. By simulating games and citing programmable random oracles and fork lemmas, among other techniques, we demonstrated that the scheme meets the requirements of unforgeability, anonymity, unlinkability, and attribute privacy. This analysis emphasizes that the plan has protected the integrity and validity of the data.

Performance Evaluation: We conducted a detailed analysis of this authentication scheme, demonstrating its efficiency advantages over existing authentication schemes. Tests were also carried out on secp256k1 and BLS12-381 curves, verifying that the proposed algorithm performs better on lightweight curves.

• Structure of Paper

The remaining paper is structured as follows: Section 3 introduces the problem assumptions and fundamentals. Section 4 defines the syntax, security model, and detailed construction of the scheme. Section 5 analyzes its correctness and theoretical security. Section 6 evaluates performance in terms of computation and communication overhead, and Section 7 concludes the paper.

3. Preliminaries

3.1. Group description and hardness assumptions

A group generator $\mathit{GGen}(1^\kappa) \to (\mathbb{G}, q)$ inputs a security parameter $\kappa$ and outputs a cyclic group $\mathbb{G}$ of prime order $q$. This scheme is based on the following hard problem assumptions.

Definition 2.1 (Discrete Logarithm Problem (DLP) Assumption). Let $g$ be a generator of a group $\mathbb{G}$. Given a tuple $(g, g^a) \in \mathbb{G}^2$, where $a \in \mathbb{Z}_q^*$, the Discrete Logarithm Problem is to output $a$. The DLP assumption holds if for all PPT adversary , the advantage is negligible.

$$\mathit{Adv}^{\mathrm{DLP}}_{}(\kappa) = |\Pr[(g, g^a) = a]| \le \mathit{negl}(\kappa).$$

Definition 2.2 (Decisional Diffie–Hellman (DDH) Assumption). Let $\mathbb{G}$ be a group of order a large prime $q$, and $g$ be the generator of $\mathbb{G}$. The input is a random quadruple $ = (g, g^x, g^y, g^{xy}) \in \mathbb{G}^3$ and a quadruple $ = (g, g^x, g^y, g^z) \in \mathbb{G}^3$, where $x, y, z \leftarrow \mathbb{Z}_q^*$. It is computationally hard for adversary  to distinguish between the two tuples; the advantage of PPT adversary  is negligible.

$$\mathit{Adv}^{\mathrm{DDH}}_{}(\kappa) = |\Pr[() = 1] - \Pr[() = 1]| \le \mathit{negl}(\kappa).$$

Definition 2.3 (Computing Diffie–Hellman (CDH) Assumption). Let $\mathbb{G}$ be a cyclic group of order $q$ with generator $g$. Given the tuple $ = (g, g^a, g^b)$ where $a, b \leftarrow \mathbb{Z}_q^*$, computing $g^{ab}$ is hard. For all probabilistic polynomial-time (PPT) algorithms , the advantage probability of successfully solving the CDH problem is negligible.

$$\mathit{Adv}^{\mathrm{CDH}}_{}(\kappa) = |\Pr[(g, g^a, g^b) = g^{ab}]| \le \mathit{negl}(\kappa),$$

where $\kappa$ is a security parameter and $\mathit{negl}(\kappa)$ denotes a negligible function.

3.2. Zero-knowledge proof

A signature proof of knowledge (SPK) is a non-interactive zero-knowledge proof (ZKP) technique that enables a prover to demonstrate knowledge of a secret value without revealing it, while also signing a message. We constructed a cyclic group $\mathbb{G}$ of prime order $q$ and employed the Fiat–Shamir heuristic [36] to convert an interactive proof into a non-interactive one. These non-interactive constructs are precisely referred to as signature proofs of knowledge (SPK). All the signatures of knowledge are secure in the random oracle model. According to the symbols introduced by Camenisch and Stadler [37], $\mathit{PoK}\{(x) : y = g^x\}$ represents the zero-knowledge proof protocol between the prover and the verifier. Such a prover knows $x \in \mathbb{Z}_p$ and $y = g^x \in \mathbb{G}$. The corresponding non-interactive signature proof of knowledge on the message $m$ is expressed as $\mathit{SPK}\{(x) : y = g^x\}(m)$. It can be regarded as a signature on the message $m$, which is signed by a key pair $(g^x, x)$ based on discrete logarithms.

3.3. Pedersen commitment

Literature [38] uses Poseidon to realize the hash of the Merkle tree and the commitment. In this scheme we instantiate them another way, using Pedersen hashing and perfectly hiding commitments. The Pedersen commitment algorithm is as follows:

• $\mathit{Gen}(1^\kappa) \to ck$: Select a finite group $\mathbb{G}$ with a large prime order $q$, and choose two generators $g$ and $h$ from the group $\mathbb{G}$. The parameters of this commitment scheme are $ck = (\mathbb{G}, q, g, h)$.
• $\mathit{Commit}(ck, u) \to c$: Generate a commitment $c$ for a secret value $u$. The committing party randomly selects a blind factor $r$ and then calculates $c = g^u h^r$.
• $\mathit{OpenCom}(ck, c, u, r) \to 0/1$: The verifier checks whether $c$ is equal to $g^u h^r$.

3.4. Merkle tree

In the proposed scheme, the Merkle tree $T$ is used to represent the membership of the set. The root of the tree $T$ is denoted $T_{root}$. The Merkle tree has the following functions:

• $T.\mathit{Insert}(v) \to T$: Inserts the value $v$ into the next available leaf in $T$ and returns the modified tree.
• $T.\mathit{Remove}(v) \to T'$: Removes $v$ from the tree, if it exists, and returns the modified tree $T'$.
• $T.\mathit{AuthPath}(v) \to \theta$: Generates an authentication path $\theta$ that proves $v \in T$. The size of $\theta$ is proportional to the height of the tree, ensuring efficient verification in cryptographic protocols.
Table 2. Summary of notations.

| Symbol | Description |
|---|---|
|  , ,  | User, Issuer, Verifier |
| $\lambda$ | Security parameter |
| $h$ | The maximum height of the Merkle tree |
| $m$ | The maximum number of attributes |
| $n$ | The number of access criteria the verifier is allowed to define |
| $\iota_{pub}, \iota_{zk}$ | Verify the access policy for ancillary information when the request is issued |
| $\mathit{iaux}_{zk}, \mathit{iaux}_{pub}$ | Auxiliary information when requesting registration |
| $\phi_i$ | The verifier defines the $i$th access criterion |
| $\mathit{aux}_i$ | Show proof of auxiliary information |
| $\mathit{Attrs} = \{\mathit{attr}_i\}_{i=1}^{m}$ | The $i$th attribute of the user and the attribute set |
| $w$ | Witness Collection |
| $\mathit{ctx}$ | Context information |
| $I, V$ | Collection of issuance criteria and access criteria |
| $\Pi_U^1, \Pi_V^1, \tilde{\Pi}$ | Zero-knowledge proofs generated by the user and issuer |
| $s'' \leftarrow \mathbb{Z}_q^*$ | A secret random number randomly selected by the issuer |
| $\theta$ | The authentication path generated by the Merkle tree |
| $T_{root}, T_\kappa, T_\kappa'$ | Merkle tree root, Merkle tree, updated Merkle tree |

Note*: $\iota, \phi :  \to \{0, 1\}$ is a predicate over the user's attributes that needs to be satisfied in order to pass verification, i.e., verification only passes if $\iota_{pub}(\mathit{iaux}_{pub}) = 1$, $\phi(\mathit{Attrs}, \mathit{aux}) = 1$.

3.5. Pseudo-Random Function (PRF)

A Pseudo-Random Function (PRF) is a family of computational functions $\{F_k\}$, where $k$ is a key and $F_k$ is a function from the input space to the output space. For an ideal PRF, when the key $k$ is unknown, its output is computationally indistinguishable from that of a true random function. We construct a PRF with efficient correctness proof. We adopt the specific PRF construction proposed by Dodis and Yampolskiy [39] (DY-PRF). The DY-PRF is defined by the tuple $(\mathbb{G}, q, g, s)$, where $\mathbb{G} = \langle g \rangle$ is a cyclic group of prime order $q$ and $s \in \mathbb{Z}_q$. For an input $k$, $\mathit{PRF}_{g,s}(k)$ is defined as $\mathit{PRF}_{g,s}(k) : k \mapsto g^{-(s+k+1)}$. There exists an efficient proof of correct formation for the output, and as long as the $q$-DDHI assumption holds, the output $\mathit{PRF}_{g,s}(k)$ is indistinguishable from a random element in $\mathbb{G}_q$.

4. Proposed scheme

In this section, we describe in Table 2 all the symbolic definitions involved as well as the implications, followed by defining the syntax and designing the scheme.

4.1. Syntax and security model

4.1.1. Security definition

The security of the system is defined by the standard properties of anonymous credentials, including unforgeability, anonymity, unlinkability, and attribute privacy. In our model, the attacker is assumed to have only polynomial-time computational capability, and all communications occur over open channels.

Threat Model. Our model considers adversaries as external attackers intercepting or modifying communications without breaking hard cryptographic problems, internal attackers misusing valid credentials for forgery, transfer, or link attacks, semi-honest verifiers inferring user identities or attributes while following the protocol, and trusted-but-curious issuers complying with the protocol but attempting to snoop on user data.

4.1.2. Syntax definition

Referring to the ideal function  in [38], the zk-credit anonymous credential approach realizes  using Groth16 [40], which is not suitable for authentication. In this work,  is instantiated using signatures of knowledge, resulting in an algorithm that meets the authentication requirements. The specific algorithm is as follows:

• $\mathit{Setup}(1^\lambda, 1^h, 1^m) \to \mathit{pp}$: The algorithm inputs the security parameter $\lambda$, the maximum height $h$ of the Merkle tree, and the maximum number $m$ of attributes in a credential. It generates the system parameters $\mathit{pp}$.
• $\mathit{IssueSetup}_I(\mathit{pp}) \to (I, \iota_{pub})$: The algorithm inputs the public parameter $\mathit{pp}$, and outputs the issue criteria set $I$ and the issue criteria for verifying public auxiliary information $\iota_{pub}$.
• $\mathit{ShowSetup}_V(\mathit{pp}) \to V$: The verifier sets up $n$ access criteria to define the user's access policy. This algorithm outputs a collection of access criteria $V = \{\phi_1, \phi_2, \ldots, \phi_n\}$ where each $\phi_i$ represents an access criterion.
• $\mathit{IssueReq}_U(\mathit{pp}, I, \mathit{Attrs}, w, \mathit{ctx}, (\mathit{iaux}_{zk}, \mathit{iaux}_{pub})) \to (\mathit{Cm}, (\Pi_U^1, \mathit{iaux}_{zk}), \mathit{iaux}_{pub})$: The issue request algorithm inputs the public parameters $\mathit{pp}$, the issue criteria $I$, the set of attributes $\mathit{Attrs}$ of , the secret value $w$, the context $\mathit{ctx}$, and the auxiliary information $(\mathit{iaux}_{zk}, \mathit{iaux}_{pub})$.  generates the $\Pi_U^1$ associated with $\mathit{iaux}_{zk}$ and outputs $((\Pi_U^1, \mathit{iaux}_{zk}), \mathit{iaux}_{pub})$.
• $\mathit{IssueGrant}_I(\mathit{pp}, (I, \iota_{pub}), (\Pi_U^1, \mathit{iaux}_{zk}), \mathit{iaux}_{pub}) \to (s'', (\theta, T_{root}), k, T_\kappa)$: The algorithm inputs the zero-knowledge signature $\Pi_U^1$ and the auxiliary information $(\mathit{iaux}_{zk}, \mathit{iaux}_{pub})$. Then  returns the random value $s''$, the authentication path $\theta$ and the number of times $k$ to , and the locally generated Merkle tree $T_\kappa$.
• $\mathit{ShowCred}_U(\mathit{pp}, V, T_{root}, \mathit{cred}, \theta, \{w_i, \mathit{aux}_i\}_{i=1}^{n}) \to (\tilde{\Pi}, \{\mathit{aux}_i\}_{i=1}^{n})$:  inputs the root $T_{root}$ of the affiliated tree, the credential $\mathit{cred}$, and the authentication path $\theta$.  shows that the sent credential satisfies the access criterion $\phi_i$ and proves that the displayed credential belongs to the tree $T_\kappa$. Then, the algorithm outputs $(\tilde{\Pi}, \{\mathit{aux}_i\}_{i=1}^{n})$.
• $\mathit{VerifyShow}_V(\mathit{pp}, V, (\mathit{cred}, T_{root}), (\tilde{\Pi}, \{\mathit{aux}_i\}_{i=1}^{n})) \to 0/1$:  verifies that the credentials $\mathit{cred}$ displayed by  meet the access criteria and that $\mathit{cred}$ belongs to the Merkle tree $T_\kappa$,  outputting 0/1.
• $\mathit{RevokeCred}_I(\mathit{pp}, T_\kappa, \mathit{cred}) \to T_\kappa'$:  revokes the $\mathit{cred}$ registered by dishonest users and updates the Merkle tree $T_\kappa$ to $T_\kappa'$.

4.1.3. Security requirements

The scheme is required to satisfy the following security requirements:

Unforgeability: Attackers cannot forge valid credentials and deceive validators into performing correct verification. This game is reduced to discrete logarithm or CDH problems.

Anonymity: Credentials are displayed without revealing the user's identity. This game specification is reduced to the DDH problem.

Unlinkability: Different displays of the same certificate cannot be linked, even if the Merkle path remains identical across multiple authentications.

Attribute Privacy: Hides attributes when displaying credentials unless the access policy requires them to be displayed.

Security is analyzed using a formal game-based model [41] under the random oracle assumption [42]. The game is defined as follows:

Game 1: Unforgeability Game

Setup. The challenger-1 runs the system initialization algorithm $\mathit{Setup}(1^\lambda, 1^h, 1^m)$ to generate $\mathit{pp}$, and sends $\mathit{pp}$ to adversary 1. 1 saves the issuer private key $\mathit{isk}$.

Query. In this phase, the adversary 1 can query three random oracles, as follows:

1. −$\mathit{Query}$: 1 queries random oracles 1, 2, 3; 1 responds randomly and records the response.
2. $\mathit{Query}_2$: 1 queries the issuer to register a certificate; 1 uses the simulator  to simulate the interaction between $\mathit{IssueReq}$ and $\mathit{IssueGrant}$, using the programmability of the random oracle to generate an effective $\mathit{SPK}_2$.
3. $\mathit{Query}_3$: 1 queries certificate display; simulate the interaction between $\mathit{ShowCred}$ and $\mathit{VerifyShow}$, and simulate $\mathit{SPK}_3$ using a zero-knowledge simulator.

Forgery. 1 outputs a forged certificate $\mathit{cred}^*$ and the corresponding Merkle tree path $\theta^*$, such that $\mathit{cred}^*$ is not on the list of previously issued credentials and $\mathit{VerifyShow}$ accepts $\mathit{cred}^*$ and $\theta^*$. 1 wins conditional on the output of valid forged credentials.

Game 2: Anonymity and Unlinkability Game

Setup. The challenger-2 runs the system initialization algorithm $\mathit{Setup}(1^\lambda, 1^h, 1^m)$ to generate $\mathit{pp}$, and sends $\mathit{pp}$ to adversary 2. 2 saves the issuer private key $\mathit{isk}$.

Query. Adversary 2 can continue to query issuance and presentation, but cannot query revocation or presentation of challenge credentials.

Challenge. The adversary 2 selects the identity and attribute sets of two users, $(I_0, \mathit{Attrs}_0^*)$, $(I_1, \mathit{Attrs}_1^*)$, which satisfy the same access policy, and sends them to the challenger 2. 2 randomly selects $b \leftarrow \{0, 1\}$ to generate a credential for $I_b$ and display it (i.e., run $\mathit{ShowCred}$ to generate $\Pi_b$), and then gives $\Pi_b$ to 2.

Guess. 2 outputs $b'$ and wins if $b' = b$.

4.2. Scheme construction

In this scheme, the user is untrusted, the issuer is semi-trusted, the channel between the verifier and the issuer is trusted, and the rest of the channels are untrusted channels. Attackers can steal information from untrusted channels, forge information and impersonate users. Therefore, this paper adopts the method of zero-knowledge proof to realize the user's verification of the certificate sent by the issuer, and prove to the verifier that the certificate is the user's own; at the same time, it can reduce the risk of privacy leakage. The system model is shown in Fig. 1.

Fig. 1. System Model.

• Issuer: The issuer is the issuer of the certificate, usually an authority or trusted entity (such as government, enterprise, decentralized organization, etc.), which is responsible for verifying the identity or attribute of the user and generating the encrypted credential. Before sending the certificate, the issuing criteria will be verified.
• User: The user is the holder of the credential, requests the credential from the issuer and, upon receipt, verifies the credential.
• Verifier: The verifier is the receiver of credentials, who receives the user's credentials, goes through a secure channel, downloads the criteria and auxiliary verification data, verifies the access criteria, and then verifies the user's identity.

4.2.1. System initialization

$\mathit{Setup}(1^\lambda, 1^h, 1^m) \to \mathit{pp}$:

−  selects a cyclic group $\mathbb{G}$ of order $q$, and generates generators $(g_0, g_1, g_2, \gamma, h_0, h_1, h_2, \tilde{u}, \{u_i\}_{i \in [0,n]}) \in \mathbb{G}$, along with hash functions $H_1 : \{0,1\}^* \to \mathbb{Z}_q^*$ and $H_2 : \{0,1\}^* \times \{0,1\}^* \to \mathbb{Z}_q^*$;
− Define a Merkle tree of height $h$, where for public input $(T_{root}, \mathit{cred})$, it can prove $\mathit{cred} \in T_\kappa$ through an authentication path $\theta$;
− Define the global period $\mathit{epoch}$ and pseudorandom function $\mathit{PRF}_{g,s}(k) : k \mapsto g^{\frac{1}{s+k+1}}$;
−  selects random numbers $y_1, y_2 \leftarrow \mathbb{Z}_q^*$, computes $Y_1 = h_1^{y_1}$, $Y_2 = h_2^{y_2}$, and sets the issuer secret key $\mathit{isk} = (y_1, y_2)$ and issuer public key $\mathit{ipk} = (Y_1, Y_2)$;
− Set the public parameters $\mathit{pp} := (q, \mathbb{G}, g_0, g_1, g_2, \gamma, h_0, h_1, h_2, \tilde{u}, \{u_i\}_{i \in [0,n]}, H_1, H_2, T_\kappa, T_{root}, \mathit{epoch}, \mathit{ipk})$.

$\mathit{IssueSetup}_I(\mathit{pp}) \to (I, \iota_{pub})$:

− Define the relevant issuance criteria $\iota = (\iota_{zk}, \iota_{pub})$, set $\mathit{IssueCriteria}[I] := \mathit{IssueCriteria}[I] \cup \iota$;
− For the public input auxiliary information $\mathit{iaux}_{zk}$, prove: $\iota_{zk}(\mathit{Attrs}, \mathit{iaux}_{zk}) = 1$;
− Publish $(I, \iota_{pub})$.

$\mathit{ShowSetup}_V(\mathit{pp}) \to V$:

−  defines access criteria $\phi$ for user attributes $\mathit{Attrs}$ (multiple access criteria $\phi_i$ can be defined), and sets $\mathit{AccessCriteria}[V] := \mathit{AccessCriteria}[V] \cup \{\phi_i\}$;
− For public input $(T_{root}, \mathit{cred}, \mathit{aux})$, prove: $\phi(\mathit{Attrs}, \mathit{aux}) = 1 \,\Lambda\, \mathit{cred}$;
− Publish the access criteria set $V$.

4.2.2. Credential registration

$\mathit{IssueReq}_U(\mathit{pp}, I, \mathit{Attrs}, w, \mathit{ctx}, (\mathit{iaux}_{zk}, \mathit{iaux}_{pub})) \to (\mathit{Cm}, (\Pi_U^1, \mathit{iaux}_{zk}), \mathit{iaux}_{pub})$:

−  generates the anonymous key $\mathit{nk}$ and rate-limiting key $\mathit{rk}$ using the pseudorandom function $\mathit{PRF}$ and context $\mathit{ctx}$, calculates $\mathit{nk} := \mathit{PRF}(\mathit{ctx})$, $\mathit{rk} := \mathit{PRF}(\mathit{epoch} \,\|\, \mathit{ctx})$, and defines $m$ attributes $\mathit{Attrs} = \{\mathit{attr}_1, \mathit{attr}_2, \ldots, \mathit{attr}_m\}$;
− Select a random blind factor $r \leftarrow \mathbb{Z}_q^*$ and compute the Pedersen commitment $\mathit{Cm}$, where $\mathit{Cm} \in \mathbb{G}$:

$$\mathit{Cm} = \mathit{Commit}(\mathit{nk}, \mathit{rk}, \mathit{Attrs}; r) = g_1^{\mathit{nk}} g_2^{\mathit{rk}} \left( \prod_{i=1}^{m} u_i^{H_1(\mathit{attr}_i)} \right) \cdot h_0^{r};$$

− Set $w := (r, \mathit{nk}, \mathit{rk}, \mathit{Attrs})$ (collect private witness $w$), select $x_u, s', t \leftarrow \mathbb{Z}_q^*$ and generate $\Pi_U^1$:

$$\Pi_U^1 = \mathit{SPK}_1 \left\{ \begin{array}{l} (x_u, s', t, r, \mathit{nk}, \mathit{rk}, \mathit{Attrs}) : \\ X_u = g_1^{x_u} g_2^{s'} \\ \wedge\ \zeta = Y_1^{x_u} Y_2^{s'} \cdot \mathit{Cm}^{t} \\ \wedge\ \iota_{zk}(\mathit{Attrs}, \mathit{iaux}_{zk}) = 1 \end{array} \right\} (X_u, \zeta, \mathit{iaux}_{zk}, \mathit{iaux}_{pub});$$

−  sends $(\Pi_U^1, X_u, \zeta, \mathit{iaux}_{zk}, \mathit{iaux}_{pub})$ to Issuer ;
−  receives $\Pi_V^1$. If verification passes, receive the returned authentication path $\theta$, $s''$ and $k$;
− Locally store $(\mathit{nk}, \mathit{rk}, r, \mathit{Attrs}, \theta, s, t, \mathit{epoch}, k)$, where $s = s' + s''$ and $k$ is the maximum allowed accesses within epoch $\mathit{epoch}$.

$\mathit{IssueGrant}_I(\mathit{pp}, (I, \iota_{pub}), (\Pi_U^1, \mathit{iaux}_{zk}), \mathit{iaux}_{pub}) \to (\mathit{cred}, s'', (\theta, T_{root}), k, T_\kappa)$:

− Verify $\iota_{pub}(\mathit{iaux}_{pub})$; $\iota_{pub}$ checks the public auxiliary information $\mathit{iaux}_{pub}$;
− Verify $\Pi_U^1 := \mathit{SPK}_1$, where $\Pi_U^1$ proves the correctness of $(\zeta, X_u, \mathit{iaux}_{zk}, \mathit{iaux}_{pub})$ and that the hidden attributes satisfy the issuance criteria $\iota_{zk}$. If verification fails, reject issuance and abort $\perp$;
− Else verification passes,  randomly selects $s'' \leftarrow \mathbb{Z}_q^*$, defines the maximum times of accesses $k$ allowed by users within $\mathit{epoch}$, calculates $\mathit{cred} := (\zeta \cdot Y_2^{s''}) \cdot u_0^{H_1(\mathit{epoch} \| k)}$, and runs $T_\kappa = T.\mathit{Insert}(\mathit{cred})$ to register the anonymous credential, where the registered $\mathit{cred}$ is only known privately by the issuer. Then, run $\theta = T_\kappa.\mathit{AuthPath}(\mathit{cred})$ to generate the authentication path. Update the Merkle tree root $T_{root}$, and upload it to a public panel such as blockchain;
− Next, select $z_0, z_1 \leftarrow \mathbb{Z}_q^*$ and generate $\Pi_V^1$:

$$\Pi_V^1 = \mathit{SPK}_2 \left\{ \begin{array}{l} (z_0, z_1, y_1, y_2) : \\ Y_u = h_1^{y_1} h_2^{y_2} \\ \wedge\  = (\zeta \cdot Y_2^{s''})^{z_1} \cdot u_0^{H_2(\mathit{epoch} \| k) \cdot z_0} \end{array} \right\} (Y_u, s'', k, );$$

−  stores the Merkle tree $T_\kappa$ and sends $(\Pi_V^1, s'', k, \theta)$ to user .

4.2.3. Show and verification certificate

$\mathit{ShowCred}_U(\mathit{pp}, V, T_{root}, \mathit{cred}, \theta, \{w_i, \mathit{aux}_i\}_{i=1}^{n}) \to (\tilde{\Pi}, \{\mathit{aux}_i\}_{i=1}^{n})$:

− User  sends an access request message $\mathit{msg}$, and the verifier returns a random number $R = H_2(\mathit{nonce} \,\|\, \mathit{msg})$;
−  locally retrieves the verifier's access criteria $V$ and the root node $T_{root}$ of the tree containing $\mathit{cred}$;
− Upon receiving $(\mathit{nonce}, R)$, verify $R \overset{?}{=} H_2(\mathit{nonce} \,\|\, \mathit{msg})$, then randomly select $\alpha_0 \leftarrow \mathbb{Z}_q^*$. For $n$ access criteria $\Phi' = \{\phi_1, \phi_2, \ldots, \phi_n\}$, partition the attribute set into public attributes $\mathit{ATTR}$ and secret attributes $\{\mathit{attr}_j \notin \mathit{ATTR}\}$. Compute the commitment using blind factor $r$:

$$\mathit{Cm} = \mathit{Commit}(\mathit{nk}, \mathit{rk}, \{\mathit{attr}_j \notin \mathit{ATTR}\}; r) = \left( g_1^{\mathit{nk}} g_2^{\mathit{rk}} \cdot \prod_{\mathit{attr}_j \notin \mathit{ATTR}} u_i^{H_1(\mathit{attr}_j)} \cdot h_0^{r} \right) \cdot \prod_{\mathit{attr}_i \notin \mathit{ATTR}} u_i^{H_1(\mathit{attr}_i)};$$

− Next, the number of certificate displays is initialized to $n_j = 1$, and $n_j = n_j + 1$ $(0 \le n_j < k)$ is set for each generation of the zero-knowledge proof $\tilde{\Pi} = \mathit{SPK}_3$. The generation of $\tilde{\Pi} = \mathit{SPK}_3$ is as follows:

$$\tilde{\Pi} = \mathit{SPK}_3 \left\{ \begin{array}{l} (\mathit{nk}, \mathit{rk}, \mathit{Attrs}, \alpha_0, x_u, s, t, n_j, \mathit{attr}_j \notin \mathit{ATTR}) : \\ X_0 = g_0^{\alpha_0} \gamma^{H_1(\theta)} \\ \wedge\ \zeta' = Y_1^{x_u} Y_2^{s} \cdot \mathit{Cm}^{t} \\ \wedge\ \eta = \mathit{PRF}_{\mathit{rk}, \tilde{u}}(n_j) = \tilde{u}^{\frac{1}{\mathit{rk} + n_j + 1}} \\ \wedge\ \Gamma = u_0^{x_u R}\, \mathit{PRF}_{\mathit{nk}, \tilde{u}}(n_j) = u_0^{x_u R} \cdot \tilde{u}^{\frac{1}{\mathit{nk} + n_j + 1}} \\ \wedge\ 0 \le n_j < k \\ \wedge\ \phi_1(\mathit{Attrs}, \mathit{aux}_1) = 1 \\ \wedge\ \vdots \\ \wedge\ \phi_i(\mathit{Attrs}, \mathit{aux}_i) = 1 \end{array} \right\} (\mathit{aux}_i, X_0, \zeta', \eta, \Gamma, T_{root});$$

− Send $(\tilde{\Pi}, \{\mathit{aux}_i\}_{i=1}^{n}, X_0, \zeta', \eta, \Gamma, (\theta, T_{root}), \Phi', \mathit{attr}_i \in \mathit{ATTR})$ to the verifier .

$\mathit{VerifyShow}_V(\mathit{pp}, V, (\mathit{cred}, T_{root}), (\tilde{\Pi}, \{\mathit{aux}_i\}_{i=1}^{n})) \to 0/1$:

−  checks whether the user's submitted $\Phi'$ matches its defined access criteria set $\Phi$. Using $\theta$, verify and calculate $\mathit{cred} \overset{?}{=} \zeta' \cdot u_0^{H_2(\mathit{epoch} \| k)}$. If $(\eta, \Gamma)$ is valid, it proves that $n_j$ is within the range allowed to be displayed within $\mathit{epoch}$;
− If verification succeeds, accept the request, otherwise reject it and invoke the $\mathit{RevokeCred}$ function to revoke $\mathit{cred}$. For the specific process, please refer to Fig. 2.

Fig. 2. System Flowchart.

4.2.4. Credential revocation

$\mathit{RevokeCred}(\mathit{pp}, T_\kappa, \mathit{cred}) \to T_\kappa'$:

− Search for $\mathit{cred} \in T_\kappa$; if $\mathit{cred}$ is not found, terminate the process;
− Else run $T_\kappa' := T_\kappa.\mathit{Remove}(\mathit{cred})$, store and update the Merkle tree $T_\kappa'$;
− Return $T_\kappa'$ and publicly notify that $\mathit{cred}$ has been revoked.

5. Analysis of correctness and security

5.1. Correctness analysis

5.1.1. Details of $\mathit{SPK}_1$

$\mathit{SPK}_1$ can be implemented using standard discrete logarithm proof techniques.

1. (Commitment.) User  randomly selects $s_1, s_2, s_3 \in_R \mathbb{Z}_q^*$ and computes:

$$T_1 = g_1^{s_1} g_2^{s_2}, \quad T_2 = Y_1^{s_1} Y_2^{s_2} \cdot \mathit{Cm}^{s_3} = (h_1^{y_1})^{s_1} (h_2^{y_2})^{s_2} \cdot \mathit{Cm}^{s_3}.$$

2. (Challenge.) The scheme uses non-interactive zero-knowledge proof, where the user  generates challenge $c$:

$$c = H(T_1 \,\|\, T_2 \,\|\, X_u \,\|\, \zeta \,\|\, \mathit{iaux}_{zk} \,\|\, \mathit{iaux}_{pub}).$$

3. (Proof.)  generates proof $\Pi_U^1$ that satisfies issuer policy $\iota_{zk}$, $\iota_{zk}(\mathit{Attrs}, \mathit{iaux}_{zk}) = 1$, and computes $S_1 = s_1 - c \cdot x_u$, $S_2 = s_2 - c \cdot s'$, $S_3 = s_3 - c \cdot t$. The proof is $\Pi_U^1 = (c, S_1, S_2, S_3)$, and  sends $((\Pi_U^1, \mathit{iaux}_{zk}), \mathit{iaux}_{pub})$ to the issuer .

4. (Verify.)  computes $T_1' = X_u^{c} g_1^{S_1} g_2^{S_2}$, $T_2' = \zeta^{c} Y_1^{S_1} Y_2^{S_2} \cdot \mathit{Cm}^{S_3}$, and verifies: $c \overset{?}{=} H(T_1' \,\|\, T_2' \,\|\, X_u \,\|\, \zeta \,\|\, \mathit{iaux}_{zk} \,\|\, \mathit{iaux}_{pub})$. If verification passes, then $\Pi_U^1$ is correct, otherwise abort.

5.1.2. Details of $\mathit{SPK}_2$

$\mathit{SPK}_2$ can also be implemented using standard discrete logarithm proof techniques.

1. (Commitment.) The issuer/trust authority randomly selects $t_1, t_2, t_3, t_4 \in_R \mathbb{Z}_q^*$ and computes:

$$C_1 = h_1^{t_1} h_2^{t_2}, \quad C_2 = (\zeta \cdot Y_2^{s''})^{t_3} \cdot u_0^{H_2(\mathit{epoch} \| k) \cdot t_4}.$$

2. (Challenge.) The scheme uses non-interactive zero-knowledge proof, where  generates challenge $c$:

$$c = H(C_1 \,\|\, C_2 \,\|\, Y_u \,\|\,  \,\|\, s'' \,\|\, k).$$

3. (Proof.) The issuer generates proof $\Pi_V^1$ by computing $C_1' = t_1 - c \cdot y_1$, $C_2' = t_2 - c \cdot y_2$, $C_3' = t_3 - c \cdot z_1$, $C_4' = t_4 - c \cdot z_0$. The proof is $\Pi_V^1 = (c, C_1', C_2', C_3', C_4')$, and  sends $(\Pi_V^1, s'', k)$ to the user.

4. (Verify.) Compute $\mathsf{C}_1 = Y_u^{c} h_1^{C_1'} h_2^{C_2'}$, $\mathsf{C}_2 = ^{c} (\zeta \cdot Y_2^{s''})^{C_3'} \cdot u_0^{H_2(\mathit{epoch} \| k) \cdot C_4'}$, and verify: $c \overset{?}{=} H(\mathsf{C}_1 \,\|\, \mathsf{C}_2 \,\|\, Y_u \,\|\, Z \,\|\, s'' \,\|\, k)$. If verification passes, then $\Pi_V^1$ is correct, otherwise abort.

5.1.3. Details of $\mathit{SPK}_3$

The construction of $\mathit{SPK}_3$ includes a zero-knowledge proof and a range proof. We divide $\mathit{SPK}_3$ into two parts, $\mathit{SPK}_{3A}$ and $\mathit{SPK}_{3B}$. The specific details are as follows:

$$\mathit{SPK}_{3A} \left\{ \begin{array}{l} (\mathit{nk}, \mathit{rk}, \alpha_0, x_u, s, t, n_j, \rho_1) : \\ X_0 = g_0^{\alpha_0} \gamma^{H_1(\theta)} \\ \wedge\ \zeta' = Y_1^{x_u} Y_2^{s} \cdot \mathit{Cm}^{t} \\ \wedge\  = g_1^{n_j} g_2^{\rho_1} \\ \wedge\ \dfrac{\tilde{u}}{\eta} = \eta^{\mathit{rk}} \eta^{n_j} \\ \wedge\ \dfrac{\tilde{u}^{R} \cdot u_0}{\Gamma} = u_0^{-\mathit{nk}} u_0^{-n_j} u_0^{-x_u} \Gamma^{\mathit{nk}} \Gamma^{n_j} \end{array} \right\} (\mathit{aux}_i, X_0, \zeta', \eta, \Gamma, T_{root}),$$

$$\mathit{SPK}_{3B} \{ (n_j, \rho_1) :  = g_1^{n_j} g_2^{\rho_1} \wedge 0 \le n_j < k \}(m).$$

$\mathit{SPK}_{3B}$ is instantiated as a simple range proof, which will be discussed later.

2. (Challenge.) Using non-interactive zero-knowledge proof, the user generates challenge $c$:

$$c = H(A_1 \,\|\, A_2 \,\|\, A_3 \,\|\, A_4 \,\|\, A_5 \,\|\, X_0 \,\|\, \zeta' \,\|\, \eta \,\|\, \Gamma \,\|\, T_{root} \,\|\, \mathit{aux}_i).$$

3. (Proof.)  generates proof $\tilde{\Pi}$ by computing:

$$A_1' = t_3 - c \cdot \alpha_0, \quad A_2' = t_4 - c \cdot x_w, \quad A_3' = t_5 - c \cdot s, \quad A_4' = t_6 - c \cdot t,$$
$$A_5' = n_7 - c \cdot n_j, \quad A_6' = n_8 - c \cdot \rho_1, \quad A_7' = \varrho_2 - c \cdot \mathit{rk}, \quad A_8' = \varrho_1 - c \cdot \mathit{nk}.$$

The proof is $\tilde{\Pi} = (c, A_1', A_2', A_3', A_4', A_5', A_6', A_7', A_8')$, and  sends $(\tilde{\Pi}, \mathit{aux}_i, X_0, \zeta', \eta, \Gamma, T_{root})$ to verifier .

4. (Verify.)  computes:

$$\mathsf{A}_1 = X_0^{c} g_0^{A_1'} \gamma^{H_1(\theta)}, \quad \mathsf{A}_2 = \zeta'^{c} Y_1^{A_2'} Y_2^{A_3'} \mathit{Cm}^{A_4'}, \quad \mathsf{A}_3 = ^{c} g_1^{A_5'} g_2^{A_6'},$$
$$\mathsf{A}_4 = \left( \frac{\tilde{u}}{\eta} \right)^{c} \eta^{A_7'} \eta^{A_5'}, \quad \mathsf{A}_5 = \left[ \frac{\tilde{u}^{R} \cdot u_0}{\Gamma} \right]^{c} u_0^{-A_8'} u_0^{-A_5'} u_0^{-A_2'} \Gamma^{A_8'} \Gamma^{A_5'},$$

and verifies: $c \overset{?}{=} H(\mathsf{A}_1 \,\|\, \mathsf{A}_2 \,\|\, \mathsf{A}_3 \,\|\, \mathsf{A}_4 \,\|\, \mathsf{A}_5 \,\|\, X_0 \,\|\, \zeta' \,\|\, \eta \,\|\, \Gamma \,\|\, T_{root} \,\|\, \mathit{aux}_i)$.

In groups of unknown order, range proofs currently widely recognized by academia and industry are based on the square decomposition
Next, we demonstrate how to implement SPK3𝐴 . assumption [43] and 𝑛-ary decomposition [40], which can achieve secure and efficient range proofs. However, we note that the range 1. (Commitment.)  randomly selects 𝜚1 , 𝜚2 , t3 , t4 , t5 , t6 , n7 , n8 ∈𝑅 proofs required in authentication protocols always take the form 0 ≤ Z𝑛𝑞 and computes: 𝑛 < 𝑘. If we set 𝑘 = 2𝜅 , we can easily construct a simple range proof t t t n n with complexity (𝜅), as shown in Eq. (1): 𝐴1 = 𝑔03 𝑦𝐻1 (𝜃) , 𝐴2 = 𝑌1 4 𝑌2 5 𝐶𝑚t6 , 𝐴3 = 𝑔1 7 𝑔2 8 , −𝜚 −n −𝑡 𝑃 𝑂𝐾𝑅𝐴𝑁𝐺𝐸 {(𝑛, 𝑟) ∶ 𝐶𝑛 = 𝑔0𝑛 𝑔1𝑟 ∧ 0 ≤ 𝑛 < 2𝜅 }. (1) 𝐴4 = 𝜂 𝜚2 𝜂 n7 , 𝐴5 = 𝑢0 1 𝑢0 7 𝑢0 4 𝛤 𝜚1 𝛤 n7 . 7 H. Di et al. Computer Standards & Interfaces 97 (2026) 104097 In this scheme, we use a Bulletproofs-based instantiation of 𝑆𝑃 𝐾3𝐵 . the adversary 1 forges parameters (𝑐𝑡𝑥∗ , 𝑛𝑘∗ , 𝑟𝑘∗ , 𝐴𝑡𝑡𝑟𝑠∗ ), selects the Here we will briefly describe and provide a detailed proof process. random blind factor 𝑟∗ ∈ Z∗𝑞 , query 1 − 𝑄𝑢𝑒𝑟𝑦, and generates 𝐶𝑚∗ = ∗ Please refer to the Ref. [29,43]. 𝐶𝑜𝑚𝑚𝑖𝑡 (𝑛𝑘∗ , 𝑟𝑘∗ , 𝐴𝑡𝑡𝑟𝑠∗ ; 𝑟∗ ). Next, choose 𝑥∗𝑢 , 𝑠′∗ , 𝑡∗ ← Z∗𝑞 , calculate 𝛱𝑈1 : ∑ ( ∗ ′∗ ∗ ∗ ) 1. (Prove.) First, perform binary decomposition on 𝑛, 𝑛 = 𝑘−1 𝑖 𝑖=0 𝑏𝑖 2 , ⎧ 𝑥𝑢 , 𝑠 , 𝑡 , 𝑟 , 𝑛𝑘∗ , 𝑟𝑘∗ , 𝐴𝑡𝑡𝑟𝑠∗ ∶ ⎫ where 𝑏 ∈ {0, 1}. Construct vector 𝐚𝐿 = (𝑏0 , 𝑏1 , … , 𝑏𝑘−1 ), 𝐚𝑅 = ⎪ 𝑥∗𝑢 𝑠′∗ ⎪ ∗ ⎪ ∗ 𝑋𝑢 = 𝑔1 𝑔2 ⎪( ∗ ∗ ) 𝐚𝐿 −𝟏𝑘 (𝑎𝑅,𝑖 = 𝑏𝑖 −1). Next, choose blind factor 𝛼, 𝜌 ← Z𝑞 , 𝒔𝐿 , 𝒔𝑅 ← 𝛱𝑈1 = 𝑆𝑃 𝐾1∗ ⎨ ( ) ′∗ ⎬ 𝑋𝑢 , 𝜁 , 𝑖𝑎𝑢𝑥𝑧𝑘 , 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 . ∗ 𝑎 𝑥∗ 𝑏 𝑠 ⋅ 𝐶𝑚∗𝑡∗ Z𝑘𝑞 , compute the initialization commitment 𝐴 = ℎ𝛼 𝒈𝒂𝐿 𝒉𝒂𝑅 , 𝑆 = ⎪ 𝛬 𝜁 (= ( ) 𝑢  ) ⎪ ⎪ 𝛬 𝜄𝑧𝑘 𝐴𝑡𝑡𝑟𝑠∗ , 𝑖𝑎𝑢𝑥𝑧𝑘 = 1 ⎪ ℎ𝜌 𝒈𝒔𝐿 𝒉𝒔𝑅 . 
Then, construct a non-interactive proof challenge 𝑦 = ⎩ ( ∗ ) ⎭ ( ) ( ) Sending 𝛱𝑈1 , 𝑖𝑎𝑢𝑥𝑧𝑘 , 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 to the issuer,  checks 𝜄𝑝𝑢𝑏 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 𝐻 𝐴, 𝑆, 𝐶𝑛 , 𝑧 = 𝐻(𝑦, 𝐴, 𝑆) based on Fiat–Shamir and polyno- ( ) 1 ∗ and validates 𝛱𝑈 , aborts if it fails, otherwise it selects a random mials 𝒍(𝑥) = 𝒂𝐿 − 𝑧𝟏𝑘 + 𝒔𝐿 𝑥, 𝒓(𝑥) = 𝑦𝑘 ◦ 𝒂𝑅 + 𝑧𝟏𝑘 + 𝒔𝑅 𝑥, calculate the inner product 𝑡 = ⟨𝒍(𝑥), 𝒓(𝑥)⟩, 𝜏𝑥 ← Z𝑝 , 𝑇 = 𝑔 𝑡 ℎ𝜏𝑥 . The final number 𝑠′′∗ ∈ Z∗𝑞 and performs 2 − 𝑄𝑢𝑒𝑟𝑦. Embed tuple  = (, 𝑎 , 𝑏 ), ′′∗ ∗ challenge is 𝑥 = 𝐻(𝑧, 𝑦, 𝑇 ), generate response 𝒍 = 𝒍(𝑥), 𝒓 = register 𝑐𝑟𝑒𝑑 ∗ ∶= (𝜁 ∗ ⋅ (𝑏 )𝑠 ) ⋅ 𝑢𝑤 0 , generate the forged Merkle tree 𝑇 ∗ , update the root node to 𝑇𝑟𝑜𝑜𝑡 ∗ , select 𝑧∗ , 𝑧∗ ← Z∗ , Calculate 𝒓(𝑥), 𝑡̂ = ⟨𝒍, 𝒓⟩, 𝜏 = 𝜏𝑥 + 𝑥2 𝜌, 𝜇 = 𝛼 + 𝑥𝜌. Finally output the proof { 0 1 𝑞 } 𝜋 = (𝐴, 𝑆, 𝑇 , 𝑡̂, 𝜏, 𝜇, 𝒍, 𝒓). ∗ ( ∗ ∗ ) ∗ ∗ 𝑤∗ ⋅𝑧∗ 𝛱𝑉1 = 𝑆𝑃 𝐾2∗ 𝑧0 , 𝑧1 , 𝑎, 𝑏 ∶ 𝑌𝑢∗ = 𝑎 𝑏 ∧ ∗ = (𝜁 ∗ ⋅ (𝑏 )𝑠′′ )𝑧1 ⋅ 𝑢0 0 2. (Verify.) Upon receiving the commitment 𝐶𝑛 , proof 𝜋, recal- ( ) ∗ (𝑌𝑢∗ , 𝑠′′∗ , 𝑘∗ , ∗ ), send (𝛱𝑉1 , 𝑠′′∗ , 𝑘∗ , 𝜃 ∗ ) to adversary 1 , 1 calculate culate the challenge 𝑦 = 𝐻 𝐴, 𝑆, 𝐶𝑛 , 𝑧 = 𝐻(𝑦, 𝐴, 𝑆), 𝑥 = ⟨ ⟩ 𝑠∗ = 𝑠′∗ + 𝑠′′∗ and save to local. 𝐻(𝑧, 𝑦, 𝑇 ). Next, compute offset value 𝛿𝑦 = 𝑦𝑘 , 𝑧𝟏𝑘 + 𝑧2 2𝑘 , and 𝑘 ( )𝑧𝟏 𝑘 +𝑧2 2𝑘 𝑄𝑢𝑒𝑟𝑦3 : In this phase 1 to show the proof, using zero knowledge reconstruct the commitment 𝑃 = 𝐴 ⋅ 𝑆 𝑥 ⋅ ℎ−𝜇 ⋅ 𝒈𝑧𝟏 ⋅ 𝒉′ , ? 2 simulator , run algorithm 𝑆ℎ𝑜𝑤𝐶𝑟𝑒𝑑 forged 𝑡𝑜𝑘𝑒𝑛∗ and 𝑉 𝑒𝑟𝑖𝑓 𝑦𝑆ℎ𝑜𝑤 where 𝒉′ = 𝒉◦𝑦𝑘 . Then, verify inner product 𝑔 𝑡̂ℎ𝜏 = 𝑇 ⋅ 𝐶𝑛𝑍 ⋅ 𝑔 𝛿𝑦 . interact. Adversary 1 forges the message 𝑚𝑠𝑔 ∗ requesting access to If passed, accept, otherwise, reject. .  selects 𝑛𝑜𝑛𝑐𝑒∗ , conducts 3 − 𝑄𝑢𝑒𝑟𝑦 query, calculates 𝑟∗ , and returns it to adversary 1 . Adversary 3 − 𝑄𝑢𝑒𝑟𝑦 hash verification, 5.2. Theoretical security analysis if by selecting public attribute 𝑎𝑡𝑡𝑟∗𝑖 ∈ 𝐴𝑇 ∗ ( 𝑇 𝑅 , the secret attribute )is 𝑎𝑡𝑡𝑟∗𝑗 ∉ 𝐴𝑇 𝑇 𝑅∗ , calculate 𝐶𝑚∗ = Commit 𝑛𝑘∗ , 𝑟𝑘∗ , 𝑎𝑡𝑡𝑟∗𝑗 ∉ 𝐴𝑇 𝑇 𝑅∗ ; 𝑟∗ , 5.2.1. 
Proof of Game1 ( ) select 𝑛∗𝑗 0 ≤ 𝑛∗𝑗 < 𝑘∗ , 𝛼0∗ ← Z∗𝑞 , generate 𝛱 ̃ ∗ , send { } 𝑖=𝑛 ( ) Theorem 1. The scheme is unforgeable if the DLP and DDH assumptions ̃ ∗ , 𝑎𝑢𝑥𝑖 (𝛱 ∗ , 𝜃 ∗ , 𝑇𝑟𝑜𝑜𝑡 , 𝛷′ , 𝑎𝑡𝑡𝑟∗𝑖 ∈ 𝐴𝑇 𝑇 𝑅∗ ) to . 𝑖=1 hold. Forgery. Adversary 1 outputs the forged certificate 𝑐𝑟𝑒𝑑 ∗ and the corresponding authentication path 𝜃 ∗ , which meets the condition that Proof. Suppose that the adversary 1 forges the credential with the 𝑐𝑟𝑒𝑑 ∗ was not generated through legal issuance.  running )algorithm ( ( ) { } non-negligible probability 𝜖, we construct reduction algorithm  to VerifyShow, 𝑉 𝑒𝑟𝑖𝑓 𝑦𝑆ℎ𝑜𝑤 𝑝𝑝, 𝑉 , 𝑐𝑟𝑒𝑑 ∗ , 𝑇𝑟𝑜𝑜𝑡 ∗ ̃ ∗ , 𝑎𝑢𝑥𝑖 𝑖=𝑖 = 1. ,𝛱 𝑖=1 solve the DLP or CDH problem with the non-negligible advantage Then, requery 3 by rewinding technique to obtain 𝑟∗ , modify the 𝜖 − 𝑛𝑒𝑔𝑙. The reduction algorithm  embeds the group parameter tuple new challenge to 𝑐 ≠( 𝑐 ′ , compute the response and output ̃ ′∗ ) 𝛱 to  = (, 𝑎 , 𝑏 ) into the problem instance,  can control and program extract witness 𝑤∗ = 𝑥∗𝑢 , 𝑠∗ , 𝑡∗ , 𝑟∗ , 𝑛𝑘∗ , 𝑟𝑘∗ , 𝑎𝑡𝑡𝑟∗𝑗 ∉ 𝐴𝑇 𝑇 𝑅∗ , separate the random oracle, and simulates the whole system: ∗ ∗ ∗ ∗ ∗ ∗ Setup. Challenger 1 run system initialization algorithm from the witness 𝜁 ′∗ = (𝑎 )𝑥𝑢 (𝑏 )𝑠 ⋅ 𝐶𝑚∗𝑡 = (𝑎𝑏 )𝑥𝑢 ⋅𝑠 ⋅ 𝐶𝑚∗𝑡 . According 𝑆𝑒𝑡𝑢𝑝(1𝜆 , 1ℎ , 1𝑚 ) generate 𝑝𝑝, send 𝑝𝑝 to simulator . 1 save issuer to the above proof, if the forgery credential 𝑐𝑟𝑒𝑑 ∗ and the corresponding private key 𝑖𝑠𝑘 = (𝑦1 , 𝑦2 ). authentication path 𝜃 ∗ make it difficult to compute 𝑎𝑏 on G, the Query. In this phase, 1 query random Oracle − 𝑄𝑢𝑒𝑟𝑦, 𝑄𝑢𝑒𝑟𝑦2 , probability that adversary 1 will successfully forge a credential for the and 𝑄𝑢𝑒𝑟𝑦3 , 1 random response and recording. first time is 𝜖, and the probability of a single retry is about 𝜖 2 . By the − 𝑄𝑢𝑒𝑟𝑦: The adversary 1 can query the random oracle 1 , 2 , 3 . universal bifurcation Lemma, since adversary 1 performs 𝑞𝐻3 queries. 
Before any hash query,  will prepare three empty hash lists 1,2,3 , The probability of success is 𝜖 2 ∕𝑞𝐻3 , then the advantage of simulator and define the query number size as 𝑞𝐻1 , 𝑞𝐻2 , 𝑞𝐻3 to record the query to break CDH hard problem successfully is 𝜖 2 ∕𝑞𝐻3 − 𝑛𝑒𝑔𝑙. response. [ ] 1 − 𝑄𝑢𝑒𝑟𝑦: Before 1 query,  randomly selected 𝑖∗1 ∈ 1, 𝑞𝐻1 , the 5.2.2. Proof of Game2 input attribute 𝑎𝑡𝑡𝑟𝑖 ,  record of all the queries in the list 1 , and make a response. If 𝑖 = 𝑖∗1 ,  return values in the list, otherwise  generated Theorem 2. The Scheme is anonymity and unlinkability if the CDH 1 (𝑎𝑡𝑡𝑟𝑖 ), records (𝑖, 𝑎𝑡𝑡𝑟𝑖 , 1 (𝑎𝑡𝑡𝑟𝑖 )) in 1 . assumption hold. [ ] 2 − 𝑄𝑢𝑒𝑟𝑦: Before the 2 query,  randomly selects 𝑖∗2 ∈ 1, 𝑞𝐻2 , Proof. Suppose that the adversary 2 distinguishes credentials with after entering each user time period 𝑒𝑝𝑜𝑐ℎ𝑖 , and the maximum number a non-negligible advantage 𝜖, and construct a reduction algorithm  of credentials to be initialized 𝑘𝑖 ,  records all queries in the list 2 , to solve the DDH problem with a non-negligible advantage 𝜖 − 𝑛𝑒𝑔𝑙. and responds. If 𝑖 = 𝑖∗2 ,  returns the value in the list, otherwise  generates 2 (𝑒𝑝𝑜𝑐ℎ ∥ 𝑘) with the following Eq. (2): The reduction algorithm  embedded the group parameter tuple  = { (, 𝑎 , 𝑏 , 𝑐 ) into the DDH problem instance, and the adversary 2 ( ) 𝑤∗ , 𝑖 = 𝑖∗2 determined whether 𝑐 = 𝑎𝑏 or random, and simulated the whole 2 𝑒𝑝𝑜𝑐ℎ𝑖 ∥ 𝑘𝑖 = . (2) 𝑤 , otherwise process: ( (𝑖 ) ( )) Then,  record 𝑖, epoch 𝑖 ∥ 𝑘𝑖 , 2 𝑒𝑝𝑜𝑐ℎ𝑖 ∥ 𝑘𝑖 in the [ list ]2 . Setup. Same with the initialization of Game 1. ∗ 3 −𝑄𝑢𝑒𝑟𝑦: Before 3 queries,  randomly selected 𝑖3 ∈ 1, 𝑞𝐻3 , the Query. Adversary 2 can continue to query issuance and show, but input random 𝑛𝑜𝑛𝑐𝑒𝑖 and message 𝑚𝑠𝑔𝑖 ,  record of all the queries in cannot query revocation or presentation of challenge credentials. At the the list 3 , and respond. If 𝑖 = 𝑖∗3 ,  return values in the list, otherwise same time also can query 1 − 𝑄𝑢𝑒𝑟𝑦. 
 generated 2 (𝑛𝑜𝑛𝑐𝑒 ∥ 𝑚𝑠𝑔) in the following Eq. (3): Challenge. Adversary 2 submits two attribute sets 𝐴𝑡𝑡𝑟𝑠∗0 and { 𝐴𝑡𝑡𝑟𝑠∗1 , that satisfy the same access policy to challenger 2 . Since the ( ) 𝑟∗ , 𝑖 = 𝑖∗3 2 𝑛𝑜𝑛𝑐𝑒𝑖 ∥ 𝑚𝑠𝑔𝑖 = . (3) parameter related to the attribute set in zero-knowledge is 𝜁 ′ . The 𝑟𝑖 , otherwise challenger 2 calls the simulator  to simulate the SPK and prove ( ( ) ( )) Then,  record 𝑖, 𝑛𝑜𝑛𝑐𝑒𝑖 ∥ 𝑚𝑠𝑔𝑖 , 2 𝑛𝑜𝑛𝑐𝑒𝑖 ∥ 𝑚𝑠𝑔𝑖 in the list 3 , the embedding group parameter tuple  = (, 𝑎 , 𝑏 , 𝑐 ), randomly where oracle 2 and 3 share a hash function. 𝑄𝑢𝑒𝑟𝑦2 : In this phase, select 𝑎, 𝑏 ← Z∗𝑞 , and calculate 𝜁1′∗ . Select 𝑐 ← Z∗𝑞 calculate 𝜁2′∗ . Next, 8 H. Di et al. Computer Standards & Interfaces 97 (2026) 104097 Table 3 Average times of cryptographic and Merkle tree operations. Symbol Definition secp256k1 (128-bit security) BLS12-381 (128-bit security) 100 s/Leaves 1000 s/Leaves 100 s/Leaves 1000 s/Leaves 𝑇𝑏𝑝 Bilinear pairing operation time – – 0.9162 ms 0.9466 ms 𝑇ℎ Hash computation time 0.0003 ms 0.0000 ms 0.0001 ms 0.0000 ms 𝑇𝑒𝑝 Exponentiation time in group G 0.0211 ms 0.0314 ms 0.2606 ms 0.2677 ms G1 :0.3958 ms G1 :0.2686 ms 𝑇𝑚𝑝−𝑒𝑐 Elliptic curve point multiplication time 0.0254 ms 0.0234 ms G2 :0.8140 ms G2 :0.8009 ms G1 :0.0007 ms G1 :0.0006 ms 𝑇𝑎𝑑𝑑−𝑒𝑐 Elliptic curve point addition time 0.0462 ms 0.0530 ms G2 :0.0018 ms G2 :0.0018 ms 𝑇𝜅𝐺 Generation algorithm of tree 𝑇𝜅 0.0025 ms 0.0024 ms 0.0029 ms 0.0023 ms 𝑇𝜅𝑉 Verification algorithm of tree 𝑇𝜅 0.0004 ms 0.0002 ms 0.0020 ms 0.0002 ms 𝑇𝜅𝑈 Update algorithm of tree 𝑇𝜅 0.0002 ms 0.0002 ms 0.0003 ms 0.0003 ms Table 4 Computation and communication cost analysis. 
Algorithms Parameter Phase Computation cost Communication cost 𝑆𝑒𝑡𝑢𝑝 𝑝𝑝 – 2𝑇𝑒𝑝 (13 + 𝑚)|G| 𝐼𝑠𝑠𝑢𝑒𝑆𝑒𝑡𝑢𝑝𝐼 (𝐼, 𝜄𝑝𝑢𝑏 ) – – – 𝑆ℎ𝑜𝑤𝑆𝑒𝑡𝑢𝑝𝑉 𝑉 – – – 𝐶𝑚 – (3 + 𝑚)𝑇𝑒𝑝 + 𝑚𝑇ℎ + 3𝑇𝑚𝑝−𝑒𝑐 |G| 𝐼𝑠𝑠𝑢𝑒𝑅𝑒𝑞𝑈 Proof (16 + 𝑚)𝑇𝑒𝑝 + 3𝑇𝑚𝑝−𝑒𝑐 2|G| + 5|Z𝑞 | 𝛱𝑈1 Verify 7𝑇𝑒𝑝 – 𝑐𝑟𝑒𝑑 – 1𝑇𝑒𝑝 + 2𝑇𝑚𝑝−𝑒𝑐 + 1𝑇ℎ – 𝐼𝑠𝑠𝑢𝑒𝐺𝑟𝑎𝑛𝑡𝐼 𝑇𝜅 – 𝑇𝜅𝐺 – Proof 8𝑇𝑒𝑝 + 1𝑇ℎ + 3𝑇𝑚𝑝−𝑒𝑐 2|G| + 6|Z𝑞 | 𝛱𝑉1 Verify 6𝑇𝑒𝑝 – 𝛱̃ Proof 25𝑇𝑒𝑝 5|G| + 7|Z𝑞 | 𝑆ℎ𝑜𝑤𝐶𝑟𝑒𝑑𝑈 {𝑎𝑢𝑥𝑖 }𝑛𝑖=1 – – i|Z𝑞 | 𝑉 𝑒𝑟𝑖𝑓 𝑦𝑆ℎ𝑜𝑤𝑉 – Verify 26𝑇𝑒𝑝 + 𝑇𝜅𝑉 – 𝑅𝑒𝑣𝑜𝑘𝑒𝐶𝑟𝑒𝑑 𝑇𝜅′ – 𝑇𝜅𝑈 – Note*: i is the number of access criteria defined per verifier. simulator  selects 𝑏 ← ( {0, 1}, and uses 𝐴𝑡𝑡𝑟𝑠𝑏 ∗ to generate the cre- ) 6.2. Algorithm computation and communication cost analysis { } ( ) dential display 𝛱̃ 𝑏 . Send 𝛱 ̃ 𝑏 , 𝑎𝑢𝑥𝑖 𝑖=𝑖 , 𝜃, 𝑇𝑟𝑜𝑜𝑡 , 𝛷′ , 𝑎𝑡𝑡𝑟𝑖 ∈ 𝐴𝑇 𝑇 𝑅 𝑖=1 to adversary 2 . Table 4 shows the computational cost and communication cost Guess. 2 guesses 𝑏′ from the output 𝛱 ̃ 𝑏 , and the advantage is of the proposed algorithm in the scheme. The algorithm includes | [ ] | defined as: |Pr 𝑏′ = 𝑏 − 12 |. 8 algorithms as follows. 𝑆𝑒𝑡𝑢𝑝, 𝐼𝑠𝑠𝑢𝑒𝑆𝑒𝑡𝑢𝑝𝐼 , 𝑆ℎ𝑜𝑤𝑆𝑒𝑡𝑢𝑝𝑉 , 𝐼𝑠𝑠𝑢𝑒𝑅𝑒𝑞𝑈 , | | 𝐼𝑠𝑠𝑢𝑒𝐺𝑟𝑎𝑛𝑡𝐼 , 𝑆ℎ𝑜𝑤𝐶𝑟𝑒𝑑𝑈 , According to the above proof, if two attribute sets satisfying the 𝑉 𝑒𝑟𝑖𝑓 𝑦𝑆ℎ𝑜𝑤𝑉 and 𝑅𝑒𝑣𝑜𝑘𝑒𝐶𝑟𝑒𝑑. The computational cost increases same access policy are (submitted 𝐴𝑡𝑡𝑟𝑠∗0 , 𝐴𝑡𝑡𝑟𝑠 ∗ ̃ ) 1 . It( is difficult for 𝛱)𝑏 linearly with the number of attributes 𝑚. We compared the single user to distinguish between 𝑎 , 𝑏 , 𝑎⋅𝑛𝑘+𝑏⋅𝑟𝑘+𝑎𝑏⋅𝑟 and 𝑎 , 𝑏 , 𝑎⋅𝑛𝑘+𝑏⋅𝑟𝑘+𝑐⋅𝑟 in Table 4 cases for each verifier ℶ access criteria general computation on G, then adversary 2 succeeds in distinguishing credentials with and communication costs. Respectively, (94 + 2 𝑚)𝑇𝑒𝑝 + (𝑚 + 2)𝑇ℎ + non-negligible probability 𝜖∕𝑞𝐻1 . Then the advantage of the simulator 11𝑇𝑚𝑝−𝑒𝑐 + 𝑇𝜅𝐺 + 𝑇𝜅𝑉 and (22 + 𝑚)|G| + (18 + ℶ)|Z𝑞 |. The cost of a single  to break the DDH hard problem successfully is 𝜖∕𝑞𝐻1 − 𝑛𝑒𝑔𝑙. 
algorithm is shown in Table 4 below: Note that even if the underlying Merkle path remains the same for repeated authentications, the simulator ensures that each creden- 6.3. Computation and communication cost comparison tial presentation is randomized. Therefore, the adversary’s advantage does not increase by observing identical path values, which remain In Table 1 of Section 2, we have compared the functions of the ex- computationally indistinguishable across sessions. isting schemes [19,29–31,33–35]. The scheme [32–34] satisfies the 𝑘- times period anonymous authentication function. Since the scheme [32] Theorem 3. The Scheme is attribute Privacy if the CDH assumption hold. is constructed based on bilinear pairing. Here, we compare the scheme Similar anonymity, but in view of the properties rather than identity. [33,34] with the proposed scheme in the computation cost processes of 6. Performance analysis issuance, show and verification. Using the lightweight curve secp256k1 environment, as shown in Table 5 and Fig. 3. In Table 1, the scheme 6.1. Experimental setup [33] does not support the attribute selection disclosure function and does not increase with the increase of the number of attributes 𝑚. The scheme is based on AMD Ryzen9 7945HX processor, Rust 1.75 Therefore, the data results in Fig. 3 show that our scheme is better and Ubuntu 22.04 LTS environment, and the error is controlled within than the scheme [33] when the number of attributes 𝑚 is small. 5%. The test program is written in 𝑅𝑢𝑠𝑡 and performs benchmark Throughout the entire process, the overall performance was superior evaluations on SHA-256 hacks, elliptic curve operations, and Merkle to the scheme [34]. Finally, the data results show that our scheme tree operations with the 128-bit security secp256k1, BLS12-381, and is superior to the existing schemes under the condition of similar sha2 libraries. The experiment measured the average time of 100 and functions. 
1000 operations (as shown in Table 3). All tests were compiled based In addition to the above experimental comparison, we also added on –release optimization to ensure accurate and reliable performance the proposed scheme to test the computational overhead under two results. different curve environments, BLS12-381 supporting bilinear pairing 9 H. Di et al. Computer Standards & Interfaces 97 (2026) 104097 Table 5 Computation cost comparison. Scheme Computation cost (ms) Credential issuance Certificate showing Authentication credentials [33] 15𝑇𝑒𝑝 + 10𝑇𝑚𝑝−𝑒𝑐 + 2𝑇𝑎𝑑𝑑−𝑒𝑐 31𝑇𝑒𝑝 + 6𝑇𝑚𝑝−𝑒𝑐 + 𝑇ℎ 20𝑇𝑒𝑝 + 9𝑇𝑚𝑝−𝑒𝑐 + 𝑇ℎ [34] (5 𝑚 + 40)𝑇𝑒𝑝 + (3 𝑚 + 4)𝑇ℎ (𝑚 + 22)𝑇𝑒𝑝 + 𝑇ℎ (𝑚 + 23)𝑇𝑒𝑝 Our Scheme (𝑚 + 35)𝑇𝑒𝑝 + (𝑚 + 2)𝑇ℎ + 11𝑇𝑚𝑝−𝑒𝑐 + 𝑇𝜅𝐺 (16 + 𝑚)𝑇𝑒𝑝 + 𝑚𝑇ℎ 19𝑇𝑒𝑝 + 𝑇ℎ + 𝑇𝜅𝑉 (a) (b) (c) (d) Fig. 3. Computation cost comparison. Fig. 4. Computation cost comparison of different curves. Fig. 5. Communication cost comparison. and lightweight curve secp256k1, as shown in Fig. 4. The exper- 7. Conclusion imental results show that the scheme has more advantages under lightweight curve. It is suggested to apply the proposed scheme under In this paper, we propose a 𝑘-times periodic anonymous authen- curve secp256k1. tication that does not require the issuer to hold a key and supports Finally, the communication cost of the existing scheme [33,34] is the access criteria. Compared with other existing 𝑘-Times periodic compared and calculated based on the size of the data to be transmitted anonymous authentication schemes, the proposed scheme not only has during the anonymous certificate display process. We test the commu- lower computational cost, but also eliminates the need for the issuer to nication efficiency on curve secp256k1, where the group element and hold the issuing information or the user key, and only needs to upload integer size of curve secp256k1 are |G| = 264𝑏𝑖𝑡𝑠 = 33𝑏𝑦𝑡𝑒𝑠, |Z𝑞 | = 256𝑏𝑖𝑡𝑠 = 32𝑏𝑦𝑡𝑒𝑠, respectively. 
In the test, it is assumed that the the root path of the Merkle tree to the blockchain or public panel, which access criterion ℶ is 1, and the number of user attributes is 1. The ensures that the subsequent authentication can still be carried out even communication costs of the schemes [33,34] are respectively 8|G| + in the case of the failure of the issuing center. In terms of security, 11|Z𝑞 |, and (𝑚 + 14)|G| + 8|Z𝑞 |. The parameters that our scheme needs it satisfies a series of DAC security properties, including anonymity, to transmit for presentation are (𝛱, ̃ {𝑎𝑢𝑥𝑖 }𝑛 , 𝑋0 , 𝜁 ′ , 𝜂, 𝛤 , 𝜃), where 𝛱̃ = unlinkability, unforgeability and attribute privacy. The limitation of 𝑖=1 (𝑐, 𝐴′1 , 𝐴′2 , 𝐴′3 , 𝐴′4 , 𝐴′5 , 𝐴′6 , 𝐴′7 , 𝐴′8 ). Therefore, the total communication current schemes is that they rely on classical cryptography, which cost during the transmission process is 4|G| + (9 + ℶ)|Z𝑞 |. As shown cannot resist quantum computing attacks. To address this challenge, in Fig. 5. we plan to integrate quantum-resistant cryptographic frameworks, such 10 H. Di et al. Computer Standards & Interfaces 97 (2026) 104097 as lattice-based signature, coding cryptography, or multivariate poly- [14] C. Garman, M. Green, I. Miers, Decentralized anonymous credentials, in: Proceed- nomial encryption in future research to construct periodic 𝑘-times ings of the 21st NDSS, 2014, URL: https://www.ndss-symposium.org/ndss2014/ authentication schemes with post-quantum security. decentralized-anonymous-credentials. [15] D. Derler, C. Hanser, D. Slamanig, A new approach to efficient revocable attribute-based anonymous credentials, in: Cryptography and Coding, 2015, pp. CRediT authorship contribution statement 57–74. [16] T. Bui, T. Aura, Application of public ledgers to revocation in distributed access Hongyan Di: Writing – original draft, Methodology, Formal analy- control, in: Information and Communications Security, 2018, pp. 781–792. [17] A. Sonnino, M. Al-Bassam, S. Bano, S. 
Meiklejohn, G. Danezis, Coconut: Thresh- sis, Data curation, Conceptualization. Yinghui Zhang: Writing – review old issuance selective disclosure credentials with applications to distributed & editing, Supervision, Project administration, Methodology, Funding ledgers, in: 26th Annual Network and Distributed System Security Symposium, acquisition. Ziqi Zhang: Writing – original draft, Formal analysis, Data NDSS, 2019, URL: https://arxiv.org/pdf/1802.07344. curation. Yibo Pang: Project administration, Formal analysis, Data [18] H. Halpin, Nym credentials: Privacy-preserving decentralized identity with curation. Rui Guo: Writing – original draft, Methodology, Formal anal- blockchains, in: 2020 Crypto Valley Conference on Blockchain Technology, ysis. Yangguang Tian: Writing – original draft, Project administration, CVCBT, 2020, pp. 56–67, http://dx.doi.org/10.1109/CVCBT50464.2020.00010. [19] H. Cui, M. Whitty, A. Miyaji, Z. Li, A blockchain-based digital identity manage- Methodology, Funding acquisition. ment system via decentralized anonymous credentials, in: Proceedings of the 6th ACM International Symposium on Blockchain and Secure Critical Infrastructure, Declaration of competing interest 2025, pp. 1–11, http://dx.doi.org/10.1145/3659463.3660027. [20] C. Lin, D. He, H. Zhang, L. Shao, X. Huang, Privacy-enhancing decentralized anonymous credential in smart grids, Comput. Stand. Interfaces 75 (2021) The authors declare that they have no known competing finan- 103505, http://dx.doi.org/10.1016/j.csi.2020.103505. cial interests or personal relationships that could have appeared to [21] Z. Ma, J. Zhang, Y. Guo, Y. Liu, X. Liu, W. He, An efficient decentralized key influence the work reported in this paper. management mechanism for VANET with blockchain, IEEE Trans. Veh. Technol. 69 (2020) 5836–5849, http://dx.doi.org/10.1109/TVT.2020.2972923. Data availability [22] J. Zhang, J. Cui, H. Zhong, I. Bolodurina, L. 
Liu, Intelligent drone-assisted anonymous authentication and key agreement for 5G/B5G vehicular ad-hoc networks, IEEE Trans. Netw. Sci. Eng. 8 (2021) 2982–2994, http://dx.doi.org/ Data will be made available on request. 10.1109/TNSE.2020.3029784. [23] D. Liu, H. Wu, C. Huang, J. Ni, X. Shen, Blockchain-based credential management for anonymous authentication in SAGVN, IEEE J. Sel. Areas Commun. 40 (2022) References 3104–3116, http://dx.doi.org/10.1109/JSAC.2022.3196091. [24] D. Liu, H. Wu, J. Ni, X. Shen, Efficient and anonymous authentication with [1] K.Y. Lam, C.H. Chi, Identity in the internet-of-things (IoT): New challenges and succinct multi-subscription credential in SAGVN, IEEE Trans. Intell. Transp. Syst. opportunities, in: Information and Communications Security, 2016, pp. 18–26. 23 (2022) 2863–2873, http://dx.doi.org/10.1109/TITS.2022.3147354. [2] K. Shafique, B.A. Khawaja, F. Sabir, S. Qazi, M. Mustaqim, Internet of things [25] L. Wei, Y. Zhang, J. Cui, H. Zhong, I. Bolodurina, D. He, A threshold-based full- (IoT) for next-generation smart systems: A review of current challenges, future decentralized authentication and key agreement scheme for VANETs powered trends and prospects for emerging 5G-IoT scenarios, IEEE Access 8 (2020) by consortium blockchain, IEEE Trans. Mob. Comput. 23 (2024) 12505–12521, 23022–23040, http://dx.doi.org/10.1109/ACCESS.2020.2970118. http://dx.doi.org/10.1109/TMC.2024.3412106. [3] L. Ante, C. Fischer, E. Strehle, A bibliometric review of research on digital [26] M. Zeng, J. Cui, Q. Zhang, H. Zhong, D. He, Efficient revocable cross-domain identity: Research streams, influential works and future research paths, J. Manuf. anonymous authentication scheme for IIoT, IEEE Trans. Inf. Forensics Secur. 20 Syst. 62 (2022) 523–538, http://dx.doi.org/10.1016/j.jmsy.2022.01.005. (2025) 996–1010, http://dx.doi.org/10.1109/TIFS.2024.3523198. [4] M.A. Olivero, A. Bertolino, F.J.D. Mayo, M.J.E. Cuaresma, I. Matteucci, Digital [27] I. 
Teranishi, J. Furukawa, K. Sako, K-times anonymous authentication (extended persona portrayal: Identifying pluridentity vulnerabilities in digital life, J. Inf. abstract), in: Advances in Cryptology - ASIACRYPT 2004, 2004, pp. 308–322. Secur. Appl. 52 (2020) 102492, URL: https://api.semanticscholar.org/CorpusID: [28] L. Nguyen, R. Safavi-Naini, Dynamic k-times anonymous authentication, in: 215881538. Applied Cryptography and Network Security, 2005, pp. 318–333. [29] M.H. Au, W. Susilo, Y. Mu, Constant-size dynamic k-TAA, in: Security and [5] M.S. Ferdous, F. Chowdhury, M.O. Alassafi, In search of self-sovereign identity Cryptography for Networks, 2006, pp. 111–125. leveraging blockchain technology, IEEE Access 7 (2019) 103059–103079, http: [30] U. Chaterjee, D. Mukhopadhyay, R.S. Chakraborty, 3PAA: A private PUF protocol //dx.doi.org/10.1109/ACCESS.2019.2931173. for anonymous authentication, IEEE Trans. Inf. Forensics Secur. 16 (2021) [6] A. Shabtai, Y. Elovici, L. Rokach, List of data breaches and cyber attacks in 2023. 756–769, http://dx.doi.org/10.1109/TIFS.2020.3021917. Media report. IT governance, 2023, URL: https://www.itgovernance.co.uk/blog/ [31] J. Huang, W. Susilo, F. Guo, G. Wu, Z. Zhao, Q. Huang, An anonymous list-of-data-breaches-andcyber-attacks-in-2023. authentication system for pay-as-you-go cloud computing∗ *, IEEE Trans. Depend- [7] P.C. Bartolomeu, E. Vieira, S.M. Hosseini, J. Ferreira, Self-sovereign identity: able Secur. Comput. 19 (2) (2022) 1280–1291, http://dx.doi.org/10.1109/TDSC. Use-cases, technologies, and challenges for industrial IoT, in: 2019 24th IEEE 2020.3007633. International Conference on Emerging Technologies and Factory Automation, [32] J. Camenisch, S. Hohenberger, M. Kohlweiss, A. Lysyanskaya, M. Meyerovich, ETFA, 2019, pp. 1173–1180, http://dx.doi.org/10.1109/ETFA.2019.8869262. 
How to win the clonewars: efficient periodic n-times anonymous authentication, [8] European Union, Regulation (EU) 2016/679 of the European parliament and of in: Proceedings of the 13th ACM Conference on Computer and Communications the council of 27 april 2016 on the protection of natural persons with regard Security, 2006, pp. 201–210, http://dx.doi.org/10.1145/1180405.1180431. to the processing of personal data and on the free movement of such data, [33] B. Lian, G. Chen, M. Ma, J. Li, Periodic 𝐾 -times anonymous authentication with and repealing directive 95/46/EC (general data protection regulation), 2016, efficient revocation of violator’s credential, IEEE Trans. Inf. Forensics Secur. 10 [Online] Available: URL: https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng. (3) (2015) 543–557, http://dx.doi.org/10.1109/TIFS.2014.2386658. [9] A. Mühle, A. Grüner, T. Gayvoronskaya, C. Meinel, A survey on essential [34] Y. Yang, W. Xue, J. Sun, G. Yang, Y. Li, H. Hwa Pang, R.H. Deng, PkT- components of a self-sovereign identity, Comput. Sci. Rev. 30 (2018) 80–86, SIN: A secure communication protocol for space information networks with http://dx.doi.org/10.1016/j.cosrev.2018.10.002. periodic k-time anonymous authentication, IEEE Trans. Inf. Forensics Secur. [10] European Union, Regulation (EU) 2024/1183 of the European parliament and (2024) 6097–6112, http://dx.doi.org/10.1109/TIFS.2024.3409070. of the council of 5 June 2024 on European digital identity wallets, 2024, URL: [35] C. Wiraatmaja, S. Kasahara, Scalable anonymous authentication scheme based https://eur-lex.europa.eu/eli/reg/2024/1183/oj. (Accessed 13 October 2024). on zero-knowledge set-membership proof, Distrib. Ledger Technol. 4 (2025) [11] D. Chaum, Security without identification: transaction systems to make big http://dx.doi.org/10.1145/3676285. brother obsolete, Commun. ACM 28 (1985) 1030–1044, http://dx.doi.org/10. [36] R. Canetti, Y. Chen, J. Holmgren, A. Lombardi, G.N. Rothblum, R.D. 
Rothblum, 1145/4372.4373. D. Wichs, Fiat-Shamir: from practice to theory, 2019, http://dx.doi.org/10.1145/ [12] D. Chaum, Showing credentials without identification. Signatures transferred 3313276.3316380. between unconditionally unlinkable pseudonyms, in: Proc. of a Workshop on [37] J. Camenisch, M. Stadler, Efficient group signature schemes for large groups, in: the Theory and Application of Cryptographic Techniques on Advances in Advances in Cryptology — CRYPTO ’97, 1997, pp. 410–424. Cryptology—EUROCRYPT ’85, 1986, pp. 241–244. [38] M. Rosenberg, J. White, C. Garman, I. Miers, zk-creds: Flexible anonymous [13] J. Camenisch, A. Lysyanskaya, An efficient system for non-transferable anony- credentials from zkSNARKs and existing identity infrastructure, in: 2023 IEEE mous credentials with optional anonymity revocation, in: Advances in Cryptology Symposium on Security and Privacy, SP, 2023, pp. 790–808, http://dx.doi.org/ — EUROCRYPT 2001, 2001, pp. 93–118. 10.1109/SP46215.2023.10179430. 11 H. Di et al. Computer Standards & Interfaces 97 (2026) 104097 [39] Y. Dodis, A. Yampolskiy, A verifiable random function with short proofs and Yibo Pang received the B.S. degree in Information Security keys, 2004, URL: https://eprint.iacr.org/2004/310. Cryptology ePrint Archive, from the School of Cyberspace Security, Xi’an University of Paper 2004/310. Posts and Telecommunications, Xi’an, China, in 2020, and [40] J. Groth, On the size of pairing-based non-interactive arguments, in: Advances the M.S. degree in Cyberspace Security from the School of in Cryptology – EUROCRYPT 2016, 2016, pp. 305–326. Cyberspace Security, Xi’an University of Posts and Telecom- [41] V. Shoup, Sequences of games: a tool for taming complexity in security proofs, munications, Xi’an, China, in 2023. He is currently pursuing IACR Cryptol. EPrint Arch. (2004) 332, URL: http://eprint.iacr.org/2004/332. a PhD at Xi’an University of Posts and Telecommunica- [42] M. Bellare, P. 
Rogaway, Random oracles are practical: a paradigm for designing tions. His research interests include multimedia security and efficient protocols, in: Proceedings of the 1st ACM Conference on Computer and privacy. Communications Security, 1993, pp. 62–73, http://dx.doi.org/10.1145/168588. 168596. [43] B. Bünz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, G. Maxwell, Bulletproofs: Short proofs for confidential transactions and more, in: 2018 IEEE Symposium Rui Guo is an associate professor and master’s supervisor at on Security and Privacy, SP, 2018, pp. 315–334, http://dx.doi.org/10.1109/SP. Xi’an ’an University of Posts and Telecommunications. He 2018.00020. has presided over a total of 9 scientific research projects, including those funded by the National Natural Science Foundation of China, the Key Research and Development Hongyan Di is currently studying for a master’s degree in Program of Shaanxi Province, and the Basic Research Pro- Cyberspace and Information Security from Xi’an University gram of Shaanxi Province. As a major participant, he has of Posts and Telecommunications. Her research interests participated in and completed more than 10 projects, such include cross-domain authentication and digital signature as the National Key Research and Development Plan and the security. National Natural Science Foundation of China. As the first author, I have published over 20 academic papers, among which 12 are indexed by SCI (including 1 TOP 1% ESI highly cited paper). Dr. Yangguang Tian received his Ph.D. degree in applied Yinghui Zhang received his Ph.D. degree in Cryptography cryptography from the University of Wollongong, Australia. from Xidian University, China, in 2013. He is a professor After Ph.D., he did post-docs at School of Information at School of Cyberspace Security, National Engineering System, Singapore Management University, and iTrust, Sin- Research Center for Secured Wireless (NERCSW), Xi’an gapore University of Technology and Design. 
Before Surrey, University of Posts & Telecommunications. He was a re- he was a research-based assistant professor at Osaka Uni- search fellow at School of Information System, Singapore versity, Japan. He is currently a lecturer at the University Management University. He has published over 100 research of Surrey, UK. His research interests include applied cryp- articles in ACM CSUR, IEEE TDSC, IEEE TCC, Computer tography, network security, blockchain technologies, and Networks, etc. He served on the program committee of privacy-preserving technologies. Dr. Tian’s recent research several conferences and the editorial member of several works have been published in the cybersecurity-related international journals in information security. His research international conferences and journals, such as USENIX’24, interests include public key cryptography, cloud security, AsiaCCS’24, IEEE TIFS’23, IEEE TDSC’24, etc. and wireless network security. Ziqi Zhang is currently studying for a master’s degree in Cyberspace and Information Security from Xi’an University of Posts and Telecommunications. Her research interests include digital signature security and its applications. 12
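The Insert, AuthPath and Remove operations used by IssueGrant and RevokeCred (Sections 4.2.2 and 4.2.4), as an added Python example that is not the paper's code or the authors' Rust test program. The class and function names, the tombstone style of removal and the sample credential byte strings are assumptions of this example, and the tree is checked in the clear rather than inside the zero-knowledge proof.

```python
import hashlib

EMPTY = hashlib.sha256(b"\x02empty").digest()  # padding and tombstone value


def _leaf(cred):
    # Domain-separated leaf hash, so a leaf can never collide with an inner node.
    return hashlib.sha256(b"\x00" + cred).digest()


def _node(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()


class CredTree:
    """Hypothetical stand-in for T_kappa: fixed slots, revocation writes EMPTY."""

    def __init__(self):
        self.slots = []

    def insert(self, cred):
        self.slots.append(_leaf(cred))

    def remove(self, cred):
        idx = self.slots.index(_leaf(cred))  # ValueError if cred was never registered
        self.slots[idx] = EMPTY

    def _levels(self):
        size = 1
        while size < max(len(self.slots), 1):
            size *= 2
        level = self.slots + [EMPTY] * (size - len(self.slots))
        levels = [level]
        while len(level) > 1:
            level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            levels.append(level)
        return levels

    def root(self):
        return self._levels()[-1][0]

    def auth_path(self, cred):
        idx = self.slots.index(_leaf(cred))
        path = []
        for level in self._levels()[:-1]:
            path.append((level[idx ^ 1], idx & 1))  # (sibling, 1 if we are the right child)
            idx >>= 1
        return path


def verify_path(root, cred, path):
    node = _leaf(cred)
    for sibling, node_is_right in path:
        node = _node(sibling, node) if node_is_right else _node(node, sibling)
    return node == root


def revocation_demo():
    tree = CredTree()
    for cred in (b"cred-A", b"cred-B", b"cred-C"):  # constructed credential encodings
        tree.insert(cred)
    root_old = tree.root()
    path_a, path_b = tree.auth_path(b"cred-A"), tree.auth_path(b"cred-B")
    tree.remove(b"cred-A")  # RevokeCred
    root_new = tree.root()
    return {
        "A_against_old_root": verify_path(root_old, b"cred-A", path_a),
        "A_against_new_root": verify_path(root_new, b"cred-A", path_a),
        "B_stale_path": verify_path(root_new, b"cred-B", path_b),
        "B_fresh_path": verify_path(root_new, b"cred-B", tree.auth_path(b"cred-B")),
    }


if __name__ == "__main__":
    print(revocation_demo())
```

The revoked credential still verifies against the pre-revocation root, so a verifier has to check against the latest published $T_{root}$; in this plain tree the remaining holders also need a refreshed path after any removal.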
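The $SPK_1$ exchange of Section 5.1.1 (commitment, Fiat–Shamir challenge, responses, verification) as an added Python example on secp256k1; it is not taken from the paper or from the authors' Rust test program. It assumes the relation $X_u = g_1^{x_u} g_2^{s'}$, $\zeta = Y_1^{x_u} Y_2^{s'} Cm^{t}$ read off from the commitment and response equations, leaves out the attribute policy check $\iota_{zk}$, and uses hash-derived generators, a commitment without attribute terms and constructed auxiliary strings; all function names are this example's own.

```python
import hashlib
import secrets

# secp256k1 (the paper's benchmark curve): y^2 = x^3 + 7 over F_P, prime order N.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
INF = None  # point at infinity (group identity)


def add(a, b):  # group operation on affine points (the paper's multiplication)
    if a is INF or b is INF:
        return b if a is INF else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):  # scalar multiplication (the paper's exponentiation pt^k)
    k, acc = k % N, INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def on_curve(pt):
    return pt is not INF and (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0


def gen(label):
    """Try-and-increment: derive a generator whose discrete log nobody knows."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # square root, valid because P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
    raise ValueError("no curve point found for label")


G1, G2, H0, Y1, Y2 = (gen(b"spk1-demo/" + s) for s in (b"g1", b"g2", b"h0", b"Y1", b"Y2"))


def challenge(T1, T2, X_u, zeta, iaux_zk, iaux_pub):
    """c = H(T1 || T2 || X_u || zeta || iaux_zk || iaux_pub), each part length-prefixed."""
    h = hashlib.sha256()
    for part in (T1, T2, X_u, zeta, iaux_zk, iaux_pub):
        if not isinstance(part, bytes):  # curve point -> fixed-width x || y
            part = b"".join(v.to_bytes(32, "big") for v in (part or (0, 0)))
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % N


def spk1_prove(x_u, s_p, t, Cm, iaux_zk, iaux_pub):
    """User: commitment (T1, T2), challenge c, responses S_i = s_i - c * witness_i."""
    X_u = add(mul(x_u, G1), mul(s_p, G2))
    zeta = add(add(mul(x_u, Y1), mul(s_p, Y2)), mul(t, Cm))
    s1, s2, s3 = (secrets.randbelow(N - 1) + 1 for _ in range(3))
    T1 = add(mul(s1, G1), mul(s2, G2))
    T2 = add(add(mul(s1, Y1), mul(s2, Y2)), mul(s3, Cm))
    c = challenge(T1, T2, X_u, zeta, iaux_zk, iaux_pub)
    return X_u, zeta, (c, (s1 - c * x_u) % N, (s2 - c * s_p) % N, (s3 - c * t) % N)


def spk1_verify(X_u, zeta, Cm, proof, iaux_zk, iaux_pub):
    """Issuer: rebuild T1', T2' from the responses and recompute the challenge."""
    ints_ok = len(proof) == 4 and all(isinstance(v, int) and 0 <= v < N for v in proof)
    if not (ints_ok and all(map(on_curve, (X_u, zeta, Cm)))):
        return False
    c, S1, S2, S3 = proof
    T1 = add(add(mul(c, X_u), mul(S1, G1)), mul(S2, G2))
    T2 = add(add(add(mul(c, zeta), mul(S1, Y1)), mul(S2, Y2)), mul(S3, Cm))
    return c == challenge(T1, T2, X_u, zeta, iaux_zk, iaux_pub)


def demo():  # constructed run: one honest proof and three rejected variants
    x_u, s_p, t, nk, rk, r = (secrets.randbelow(N - 1) + 1 for _ in range(6))
    Cm = add(add(mul(nk, G1), mul(rk, G2)), mul(r, H0))  # attribute terms omitted
    zk, pub = b"age>=18", b"issuer-policy-v1"  # constructed auxiliary inputs
    X_u, zeta, proof = spk1_prove(x_u, s_p, t, Cm, zk, pub)
    bad = (proof[0], (proof[1] + 1) % N) + proof[2:]
    return {
        "honest": spk1_verify(X_u, zeta, Cm, proof, zk, pub),
        "other_iaux_pub": spk1_verify(X_u, zeta, Cm, proof, zk, b"issuer-policy-v2"),
        "altered_response": spk1_verify(X_u, zeta, Cm, bad, zk, pub),
        "altered_zeta": spk1_verify(X_u, add(zeta, G1), Cm, proof, zk, pub),
    }


if __name__ == "__main__":
    print(demo())
```

Because $iaux_{zk}$ and $iaux_{pub}$ are inside the hash, a proof produced for one issuance context does not verify under another, which is what the `other_iaux_pub` case checks.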